move corrupted cache cleanup from SecretStorage to WorkOsAuthProvider

tingwai · tingwai · commit a58149c6d62f · 2025-10-08T15:32:17.000-07:00
diff --git a/extensions/vscode/src/stubs/SecretStorage.ts b/extensions/vscode/src/stubs/SecretStorage.ts
@@ -59,50 +59,39 @@ export class SecretStorage {
   }
 
   async decrypt(filePath: string): Promise<string> {
-    try {
-      const key = await this.getOrCreateEncryptionKey();
-      const data = fs.readFileSync(filePath);
-
-      // Validate minimum data size to detect corruption early
-      const minSize = this.saltLength + this.ivLength + this.tagLength;
-      if (data.length < minSize) {
-        throw new Error(
-          `Corrupted cache file: insufficient data (${data.length} bytes, expected at least ${minSize})`,
-        );
-      }
-
-      const salt = data.subarray(0, this.saltLength);
-      const iv = data.subarray(
-        this.saltLength,
-        this.saltLength + this.ivLength,
-      );
-      const tag = data.subarray(
-        this.saltLength + this.ivLength,
-        this.saltLength + this.ivLength + this.tagLength,
-      );
-      const encrypted = data.subarray(
-        this.saltLength + this.ivLength + this.tagLength,
-      );
+    const key = await this.getOrCreateEncryptionKey();
+    const data = fs.readFileSync(filePath);
 
-      const decipher: crypto.DecipherGCM = crypto.createDecipheriv(
-        this.algorithm,
-        key,
-        iv,
-      ) as crypto.DecipherGCM;
-      decipher.setAuthTag(tag);
-
-      const decrypted = Buffer.concat([
-        decipher.update(encrypted),
-        decipher.final(),
-      ]);
-      return decrypted.toString("utf8");
-    } catch (error: any) {
-      // Log the error with context for debugging
-      console.error(`Failed to decrypt cache file ${filePath}:`, error.message);
+    // Validate minimum data size to detect corruption early
+    const minSize = this.saltLength + this.ivLength + this.tagLength;
+    if (data.length < minSize) {
       throw new Error(
-        `Cache decryption failed: ${error.message}. The cache file may be corrupted.`,
+        `Corrupted cache file: insufficient data (${data.length} bytes, expected at least ${minSize})`,
       );
     }
+
+    const salt = data.subarray(0, this.saltLength);
+    const iv = data.subarray(this.saltLength, this.saltLength + this.ivLength);
+    const tag = data.subarray(
+      this.saltLength + this.ivLength,
+      this.saltLength + this.ivLength + this.tagLength,
+    );
+    const encrypted = data.subarray(
+      this.saltLength + this.ivLength + this.tagLength,
+    );
+
+    const decipher: crypto.DecipherGCM = crypto.createDecipheriv(
+      this.algorithm,
+      key,
+      iv,
+    ) as crypto.DecipherGCM;
+    decipher.setAuthTag(tag);
+
+    const decrypted = Buffer.concat([
+      decipher.update(encrypted),
+      decipher.final(),
+    ]);
+    return decrypted.toString("utf8");
   }
 
   private keyToFilepath(key: string): string {
@@ -119,31 +108,17 @@ export class SecretStorage {
   async get(key: string): Promise<string | undefined> {
     const filePath = this.keyToFilepath(key);
     if (fs.existsSync(filePath)) {
-      try {
-        const value = await this.decrypt(filePath);
-        return value;
-      } catch (error: any) {
-        // Corrupted cache file - delete it and return undefined
-        // This allows the auth flow to continue with a fresh start
-        console.error(
-          `Corrupted cache file detected for key "${key}". Deleting file and returning undefined.`,
-          error.message,
-        );
-
-        try {
-          fs.unlinkSync(filePath);
-          console.log(`Successfully deleted corrupted cache file: ${filePath}`);
-        } catch (deleteError: any) {
-          console.error(
-            `Failed to delete corrupted cache file ${filePath}:`,
-            deleteError.message,
-          );
-        }
-
-        // Return undefined to signal missing data (same as if file didn't exist)
-        return undefined;
-      }
+      const value = await this.decrypt(filePath);
+      return value;
     }
     return undefined;
   }
+
+  async delete(key: string): Promise<void> {
+    const filePath = this.keyToFilepath(key);
+    if (fs.existsSync(filePath)) {
+      fs.unlinkSync(filePath);
+      console.log(`Successfully deleted cache file: ${filePath}`);
+    }
+  }
 }
diff --git a/extensions/vscode/src/stubs/WorkOsAuthProvider.ts b/extensions/vscode/src/stubs/WorkOsAuthProvider.ts
@@ -177,6 +177,18 @@ export class WorkOsAuthProvider implements AuthenticationProvider, Disposable {
       });
 
       console.warn(`Error retrieving or parsing sessions: ${e.message}`);
+
+      // Delete the corrupted cache file to allow fresh start on next attempt
+      // This handles cases where decryption succeeded but JSON parsing failed
+      try {
+        await this.secretStorage.delete(SESSIONS_SECRET_KEY);
+      } catch (deleteError: any) {
+        console.error(
+          `Failed to delete corrupted sessions cache:`,
+          deleteError.message,
+        );
+      }
+
       return [];
     }
   }
